
Red teaming w Polsce

BSides Warsaw, 1:01:16, 22K views, published 2017-10
Tags: Team: Red; Style: Talk
About this talk
Author: Borys Łącki
Transcript [en]

One, two, three, four. Are you all full? Happy? We can sleep now. We have a few changes, as you probably know: I will be talking now, Mateusz will talk later. Red Teaming in Poland. Who has already seen this presentation? Hands up. Okay, I don't know what you are doing here, but thank you for being here. I paid you, actually. My name is Borys Łącki and I will talk about penetration tests, specific tests, like red teaming. We have been working at Logical Trust for over 10 years; we do penetration tests, we test web applications, mobile, internet, corporate networks and of course people. If you combine all of this, we have a red teaming test. I hope you know about it, but we also educate people, we do various weird campaigns: for example, we did "sprawdźpesel.pl" and people entered their PESEL number there, because there was a loud affair with PESEL numbers, with banks being robbed; we also did "sprawdź swoje konto bankowe", and we play in different ways to educate people.

As for tests like red teaming, if someone didn't know: these are tests in which we can do a lot. Not everything yet. I always joke that we are not yet kidnapping employees, we are still waiting for such an order. However, you have to imagine it not as a classic penetration test, where the client comes and says: we would like to check a given area, only a given web application or a given part of the infrastructure, but the client comes with a slightly different purpose. The client asks: show us how to rob us. We agree on certain rules, but if we compare it to a bank, then a vulnerability scan would be, for example, a daily walk near the building to check whether the windows are closed or open. A penetration test of, say, the authentication and authorization system would be approaching the door and trying to defeat the lock: lock picking, maybe breaking the hinges, maybe going through this clock. In any case, it would be more a test of a specific solution in a specific scope. In red teaming, the task is: we want to see how you can rob a bank. And now whether you think you will hire an employee, go down a line from the roof or come in by parachute, it doesn't matter. The client wants to see how fast and how cheaply someone could rob them, so that, of course, they can be safe. This is a very simple red teaming approach.

Of course, we set certain rules. It is always the case that there are one or two people on the client's side who know that such tests are being performed. We discuss with them what we can do and what we can't do, for example the proverbial "kidnapping people" and "not kidnapping people". We agree on specific IP addresses, their address classes, their services, specific hours, specific activities that we can perform: for example, we can send phishing, we can send malware, we can physically enter the company, we can test the wireless network, we can check what their services look like from the perspective of access to the network. And here is the last point: emergency plans. It is important that you always have such a plan in case something goes wrong. If you do something on the Internet, of course, there is no great tragedy, but if you go to the company and someone catches you because they think you want to steal a laptop, the situation is a bit different. You have to coordinate it correctly, know that the decision-maker is in the company and not on holiday, otherwise you will shout: Mr. Adam Kowalski, Mr. Adam Kowalski, don't beat me, go to Mr. Adam Kowalski; he is on vacation, and they beat you further. You have to be very careful and plan it all in the right way.

As in any penetration test, even one as specific as red teaming, it is more or less divided into three phases. At the beginning we plan, set the rules: what we will do, what we will be able to do, how we will do it. And in red teaming this is the most important part, really. Well done red teaming is 80% reconnaissance work, i.e. all the information you can get about the company, employees, building, rooms, other companies that are nearby, what the company is doing, whether it is at a conference today, tomorrow, for example, it enters the stock exchange, the day after tomorrow something else. You collect all this information, you aggregate it, of course from generally available sources; try to do it passively, plus some delicate active steps such as emails, phone calls, to learn about antivirus systems, companies, etc. And finally we come to the attack, which is also set in some time frame. And that's basically it when it comes to red teaming and planning your approach.

The simplest thing, if you want to get a budget in your company for anything in security, is phishing. You always manage to get passwords. This is an example from a few months ago: 30% of employees gave their passwords within 15 minutes. And here are some other values. This is something that can be done quite simply. Imagine, in the simplest version, that you buy an Internet domain similar to yours, with one letter changed. You create your own hosting or web hosting with email and send emails to employees. This will be an attempt to persuade them to click on something: for example, there is a new website and the CEO asks everyone to check something on this site, or to verify access to some application X because there was an update. Whatever you come up with, people will click on it and will give you these logins and passwords. I guarantee you that it hasn't happened yet that nobody responded. We had a situation even this week where the company reacted very quickly, a small company of several dozen people, and they reacted very quickly because within 30 minutes from the moment we sent the emails they already started to communicate on Slack that there was an attack and not to click on these messages, but we already had a few passwords, and these passwords fit various other... We also read their Slack, because we had stolen their data before, so we monitored what was happening in their company from the perspective of incident response.

A few adventures related to phishing. We had situations where, for example, an IT officer started to enter various funny invectives aimed at us into these login and password forms, of course without the stars. You have to remember that if this situation happens, it is also a test for the company from the perspective of how they manage the incident, what they do, how they react. If your employees curse the people who attack you, then this is not the best way to manage the incident, because if there is a 16-year-old who stole your entire database and is still trying to pull out additional passwords, and you write to him that he is thick and unpleasant, then expect that he may get angry and immediately publish this data on some forum. We had a situation where the IT department wrote scripts and started attacking our server, filling this form with questions. In fact, in the first attempt they should block access to those networks, IP addresses and domains, so that employees could not use them, and not DDoS us and waste time on it. Of course, we had a server in the cloud, so we just clicked 32 processors onto the machine and observed this attack; it was not a problem, it was a simple attack, so we coped with it.

We had a situation where in the reconnaissance phase we did not realize that a few weeks earlier one of the women at work had changed her name; she didn't change it on her social profiles, and somewhere in the CC header her old name appeared. And someone noticed it, because sometimes we send emails where it is not visible in the header that they are addressed to a given person; sometimes we send, depending on the company, to several email addresses. Then others see that there are employees on the list, so such messages are trusted too. It really depends. In this case it once worked to our disadvantage, because someone realized that there is an email to an employee who has had a new name and email for several weeks, and this person became a running employee IPS, a system that detects and fights incidents. And it was very cool, because it was a guy who ran around the company on three floors and shouted: "Don't click on the message that says something happened there." It was cool because it shortened the time and we had a low efficiency, about 30% of all passwords. It also works very well. We had a situation where the company blocked access on the firewalls, but only for employees who were in Poland. And we attacked several countries globally. Apart from the fact that they reacted quickly in Poland and blocked it, we also received passwords from various companies, from their departments abroad.

If we talk about malware, I will simplify it a bit. Imagine something that we send to the employee or that he downloads from a website, and that can be anything. It can be a page that differs by, for example, one letter. It will look like a page that sells tickets, and there will be information on this page that there is a concert in Warsaw soon, your favorite band. You like Justin Bieber, so you click on this message. We know it from the reconnaissance, from LinkedIn, Facebook, etc. You are interested in this concert and click on an additional information link. This is a file that the employee will run and give us his or her workstation. In the simplest version, which still works today, but fortunately more and more companies block it (there are over a hundred techniques to avoid it), you create a document of the Office package in which you turn on a macro, and this macro gives you the workstation. Of course, the employee must click "Enable macros", and then you do something like that: you choose a font, a symbol, you add a message that it is an older version of Microsoft Office. Here, of course, you choose it; if the company is more foreign, then you create it in English, etc. There is still a huge efficiency if it is not technically well secured, if the company does not accept only signed macros; it slowly began to change, and it happened, but in the simplest version you can check if people will click on it and run any command from a shell, PowerShell, anything, done.

We had a situation where, for example, IT opened the attachment because the attachment did not work: something went wrong, it gave us the workstation, and the employee sent the attachment to the IT department and said, I have a problem with the file, it does not work, and the administrator with domain permissions clicked on this attachment too. We had such a situation; it shortened our path and the way. Such things also happen, and you have to remember that the process of handling such files is also quite complicated and needs to be well constructed. We had a situation where on one workstation, some time ago, we were listing and saw that there were two antivirus systems. It was a record, and they did not fight each other in this case. Sometimes it is difficult to install two antivirus systems. It was a success.

It is important that you separate the network. We have been talking about this from the beginning, for over 10 years at various conferences: if we take a workstation from the HR department and this workstation is in one network with servers where there are source codes, it will really take us a day to get access to these source codes. This separation of the network helps because it limits the possibilities; you have to jump between servers, between services, it takes time. Antivirus? I don't remember the name at the moment, but I will officially say it.

We also test what the employees do with pendrives. And here again, of course, the simplest way is to drop one at your company. If you have agreement from the decision-makers, you make a simple pendrive. You put a file there which will be called list-divisions.pdf.exe. The simplest way, don't think about it: or a list of salaries, or the CEO's salary; everyone will click on it, although layoffs, or playing on fear, have great effectiveness. In new systems, of course, the .exe will be hidden because it is a known extension, so it will look like a .pdf; you download a program from the internet that changes the icon of this exe to pdf, to Adobe Reader, and so on. Of course, the user must click to start it, etc.
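The phishing setup described above starts with a domain that differs from the company's by one letter, which is also something a defender can watch for on inbound mail. The following is an added example, not from the talk or from Logical Trust: it extracts the sender domain from a From: header, normalizes a few commonly confused characters, and flags domains within a small edit distance of the domains the company owns. PROTECTED_DOMAINS and the sample headers are constructed.

```python
"""Flag inbound mail whose sender domain is a lookalike of a domain we own.

Added example for this talk; PROTECTED_DOMAINS and SAMPLE_MESSAGES are
constructed and do not refer to any real mail system.
"""
import re

# Constructed list of the domains the defender actually owns.
PROTECTED_DOMAINS = ["logicaltrust.net", "example-bank.pl"]

# Character groups that look alike in common fonts; both sides are normalized
# with the same table, so "1ogicaltrust" and "logicaltrust" compare as equal.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def normalize(name: str) -> str:
    name = name.lower()
    for look, real in CONFUSABLES:
        name = name.replace(look, real)
    return name


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each at cost 1 (so 'trsut' vs 'trust' is one edit)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(from_header: str):
    """Domain of the first address in a From: header, lower-cased, or None."""
    m = ADDR_RE.search(from_header)
    return m.group(1).lower().rstrip(".") if m else None


def classify_domain(domain: str, protected=PROTECTED_DOMAINS, max_edits: int = 2):
    """Return ('own', 0) for our domains and their subdomains, ('lookalike', n)
    when the name is within max_edits of a protected domain after
    normalization, otherwise ('other', None)."""
    domain = domain.lower().rstrip(".")
    for p in protected:
        if domain == p or domain.endswith("." + p):
            return "own", 0
    best = None
    for p in protected:
        # Compare the full name and the label before the TLD separately, so
        # that logicaltrust.com is caught as a lookalike of logicaltrust.net.
        pairs = [(normalize(domain), normalize(p)),
                 (normalize(domain.split(".")[0]), normalize(p.split(".")[0]))]
        for a, b in pairs:
            dist = edit_distance(a, b)
            if best is None or dist < best:
                best = dist
    if best is not None and best <= max_edits:
        return "lookalike", best
    return "other", None


def scan_messages(raw_messages):
    """For each raw message (header block as text) return (sender_domain, verdict, distance)."""
    findings = []
    for raw in raw_messages:
        from_line = next((ln for ln in raw.splitlines() if ln.lower().startswith("from:")), "")
        dom = sender_domain(from_line)
        if dom is None:
            findings.append((None, "no-sender", None))
            continue
        verdict, dist = classify_domain(dom)
        findings.append((dom, verdict, dist))
    return findings


# Constructed sample headers: one genuine, one unrelated, three lookalikes.
SAMPLE_MESSAGES = [
    "From: HR <hr@logicaltrust.net>\nSubject: Holiday schedule",
    "From: Prezes <ceo@logicaItrust.net>\nSubject: Please verify your access",  # capital I for l
    "From: Newsletter <news@gmail.com>\nSubject: Weekly digest",
    "From: IT <alerts@1ogicaltrust.net>\nSubject: Password expires today",      # digit 1 for l
    "From: Admin <admin@logicaltrsut.net>\nSubject: New portal",                # swapped letters
]

if __name__ == "__main__":
    for dom, verdict, dist in scan_messages(SAMPLE_MESSAGES):
        print(f"{verdict:10} {dom} (edits: {dist})")
```

Short protected labels raise the false-positive rate at a fixed threshold, so for names under five or six characters lower max_edits or skip the label comparison.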

In the more advanced version you can buy such a solution, I hope you all know it: Rubber Ducky, i.e. a keyboard in a pendrive. Here you can embed some payload, i.e. after connecting such a device it enters any command; I don't know, "download the malware, press enter", etc. This is usually done in PowerShell; it also depends on the company. There are also Aliexpress variants: the original costs about 200-300 PLN, and there are ones for 20-30 USD. So you can program it your way and it also works sometimes.

We talked about this last year, but I added this slide. We had a situation where the client had a virtual machine separated, at least that was the assumption at the beginning. The client had a machine with a Quake 1 server, and Mateusz from our team found two bugs, zero-days. One bug allowed getting administrator rights on the Quake server: you could change the map, kick people out. And the second bug, which with administrator permissions could be used on the server's system. And later it turned out that this separation was not done well; there we found more bugs and we took over 30 servers on the backend.

We had a situation where in the company network the first thing we had to do was to get into the network. There was a commercial CMS to which we did not have access; there was a strong password policy, brute force, nothing worked. There was a rule that we cannot use social engineering. Therefore, we asked the company that creates this CMS to give us a demo account. We got this demo account, we saw how the requests are constructed, we assumed that there is a chance that there will be some vulnerabilities related to login, and we attacked this client's platform; it turned out that we managed to take over one account. On the backend, between the servers, it turned out that somewhere on one of the servers there was a very simple password to a known account. One of the servers had wrong permissions, and it turned out that it was a test image of a virtual machine that had 4 GB. We downloaded it, opened it, and it turned out that it was Linux. We went to /etc/shadow, we cracked the password, and it turned out that this password was also used for the Windows server. On this Windows server there were www services. We finally took over administrator permissions via a web bug and we started to understand more or less how they create passwords, because we had more and more passwords. Finally, we took over the AD administrator account, which is basically game over. In the end, it turned out that in order to log in to VMware it is enough to tick the checkbox "AD is trusted", so when we had these permissions we also took over a hundred servers that we could manage physically: turn on, turn off, copy, etc.

We also had a situation where there were CCTV cameras on the Internet; of course there was a panel of this camera, but as you know, all these devices are usually written quite poorly when it comes to quality and security. And the fact that this camera has a panel does not mean that you should not cut it off from the Internet, limit it to known IP addresses and connect to them via VPN. We found the firmware for this camera on some websites. This firmware was encrypted in some way; we came up with a way to decrypt it and gained access to it. We found a bug in the web application; we had the source code, we could download configuration data, for example the administrator password. We logged in to this camera and found another bug which, with this data, allowed us to run our own code. We had already taken over this CCTV server, and there it turned out that in the network it was possible to make layer 2 network attacks, sniff the network and in fact also get a lot of sensitive information.

When it comes to physical security, there are many different gadgets, some of which you know, for example Pineapple, etc. It all depends on what will be done at a given location, whether you will need to clone cards or listen to Wi-Fi, etc. Sometimes we take full suitcases to the car and take them to a given location. It is important that during physical tests, in addition to the safeguards I mentioned, you have a well-designed cover story. Know as much as possible about the target. Know what companies are in the building, what this company is doing, at what time the employees come and go, what this building looks like. You can do it during the reconnaissance phase; you can use everything, even Google Maps. Sometimes, before we even appear in front of the building, we look at the whole building on Google Maps from all sides, we look at where there may be exits, some additional emergency entrances to the building, and it is also useful.

We had a situation once on the stairs, the external ones, where basically employees very rarely walked, but we were scanning the wireless network and I went upstairs with some small device, and a man was coming down the stairs, because normally everyone rode the elevator and this building was constructed in such a way that employees usually used the elevators, but maybe he wanted to do some sport, so he walked down a few stairs and wondered what we were doing, because there are several floors and his employees walk there; he turned around and asked what I was doing here.

I had a prepared story: that in the building there are a lot of doctors' offices that complain about weak cellular coverage, the company that manages the building wants to install GSM amplifiers on the building, and we go and check, verify what this network looks like. He was surprised that some piece of antenna was protruding from my backpack, etc. He said OK; in general, a convincing story. He thanked me and went on. We met later at the summary meeting. He already knew then that OK, it's us. It was not like...

We talked about the access control system. You can clone most card systems. In Poland, you can clone a card; you have to go with the device to Starbucks and clone from people, you have a 20-30 cm card for cloning. But in fact you can do it much more easily, and in fact you enter most companies and offices completely without any cloning, simply by talking to people, going in behind people, watching how a given company, a given solution looks. We had a situation where we went to the company and realized that the entrance to the company in the morning looks like this: there is no reception in the morning and the employees are already coming, they tap their cards, they open the door and enter, they go into a long corridor, these are the first office rooms, they go to the next ones, and basically they are not interested in anything, they just go blindly. We came up with the idea of going in behind an employee. The employee didn't realize it and I went into the room, and I'll tell you what was going on there. We had a situation where we had to use a card to get to the employees' floor. And we discovered in the reconnaissance phase that on the 7th or 8th floor there is a public service, for example a gym. You can enter there by pressing the 7th floor, and you could go down the stairs and open the door to the corridor, which was normally closed because you had to have a card. Again, a simple security mistake that enabled us to enter.

Once we had such a situation, and this is also related to red teaming: a lot happens live and you have to assume that something unexpected can happen. Once, in the reconnaissance phase, we were taking photos with hidden cameras, recording the entire room, how the corridors look, etc. There was a situation where one door did not close. Later, as the conversation revealed, they were broken and sometimes did not close. Then I took advantage of the situation and went into the company. I will also tell you what happened in the rooms. At that time I did not have the whole set of gadgets with me, but I had two or three devices and it helped very much. We had such a situation that after entering through these open doors, I found one office room where no one was. I left this device, a small computer like a pack of cigarettes, like 2-3 smartphones; I connected it to the LAN, to Ethernet, and left it. It got an address from DHCP and got access to the Internet. It gives us a channel to be in their corporate network. I spent 5 minutes in this room, I left the device there, I also connected it to the power supply, and that's how it stayed for a few days, because we also wanted to verify with the client whether someone would be interested that somewhere in the thicket there is such a strange device; we had access to their company network.

In the other case, we had a situation where we went to the conference room, and it was planned. I opened my laptop, I had some printed slides prepared; I wanted to look, to the employees who would start coming to work, as if I was at a meeting with someone who had just stepped out, maybe to take a phone call. I also had a script prepared, I knew who was at work at that moment, who was not, etc. I opened a can of soda, sat down and started connecting to their network and analyzing what this network looks like. It turned out that the network was cut off: I had access to the Internet, but I did not have access to their company network. I had been told that I have a maximum of two hours to work, we will see what I can do, and then I have to go out. So I looked around the room and started watching various devices. It turned out that they have a video conference system. I used the cables that were for this device, I plugged them into my computer, and it turned out that I was in a completely different VLAN, and this VLAN had access to servers. There I started testing some simple passwords, several such scans on the network, to show that it was possible, because I did not have time for some more complicated escalation. In the end, I found a computer somewhere in a closet that probably served them sometimes to present something. It was locked with a password; I had not much time, so I didn't fight with booting it to get passwords, cold boot, etc. I did a very simple thing: I cloned this MAC address. I plugged in my computer with the cloned MAC of this computer, and again I plugged into their company network, in this guest network, but with the MAC of this computer. And of course the switches put me in their company network and I had access to the whole network. I went out, I gave the can back, because there were no trash cans anywhere, it was a very sterile office; I gave the can back to the lady at the reception, thanked her for the meeting and left. Among other things, someone came to this room, opened the door, looked at what was going on; I said good morning, someone said good morning and left. This is also not the best perspective on how we take care of physical security in companies.

Finally we had a situation like Mission Impossible. The client said: "OK, we have a server room in our company, it is secured, you can't enter it. We don't know how to enter it, it is so safe that it is the safest in the world. Show us at least a picture that you can enter there." We said: "OK, challenge accepted." Why not? It was complicated, we knew that there would be no entry behind an employee, no card cloning, it was really a very well secured system, so we had to think completely differently than usual. We found a man who had once been in their server room, from an external company, because he was servicing their power supply. And we asked the client: we have such a scenario, a bit like from a film, abstract, we will try to do it, is it acceptable? The client said: of course, it is impossible, try it. We made a deal with him, we signed various documents, NDAs, we agreed with him that when he enters the server room and takes a photo, he gets more money than normal for such a visit. He said: "No problem, it will work out." He went to the company that handled security for the building. They knew him because he was there twice a year servicing various devices, and he said: I have to go to that company, check something there, because there is a service every year, etc. He took a guard from that company, who was completely unaware that he was a bit of a puppet, went to the reception with this guard and explained that we are here because we have to do a thorough verification, service, etc. It was also structured so that the main admin was not at work at that time; we knew about it from the reconnaissance, so there were junior employees. And they built a trusted profile together and convinced the employee to let them into the server room. He pretended to check some voltages in the cabinet, and that's it. Impossible became possible.

And this is the whole presentation. I would like you not to think about attacking, but about defending yourself. That you are 100% safe: today I hope you realize that this does not exist. It's always a matter of costs. As a defender we can raise these costs, we can make someone switch to another company, or if you are the target of the attack, it will cost someone a little more, and you will be given time, and maybe in this time you will find out that you are the target of the attack and you will be able to secure something in some way. Security is a process; it is a truism, we have been talking about it for 15 years. But it is not like you do such tests with an external company, fix the paths that we show you and say that now it is safe because we fixed the door and we fixed the network configuration, etc. There are always many ways; I don't want to say that there are infinitely many, but there are a lot of them. It is very difficult to secure infrastructure against all ways of attack. We usually do this job in addition to reports in which we describe everything: we give employees access to an educational platform where we teach them basic security hygiene. We do presentations for employees. If you want to do anything like such attacks on companies, this is a very important element. They will talk for three days in the break room that hackers attacked them, that they were using small computers, a keyboard that was in a pendrive. It is something out of this world for them. They go home and tell it to their wives, husbands, lovers, everyone. It works great because it stays in their heads. And they will think differently and will react differently after such an attack. This is the biggest gain from such attacks: education. We discuss with them at such meetings and ask why it was so, what could be done better, what they know about, because sometimes companies know that there is something, but it is impossible to convince people to some investments, and then such tests also help in this.

In short, things related to defense. A few points. Of course, you need to know what is happening in your company. Whether it will be simple free software or SNMP, you need to know what is happening in your company, how to detect anomalies. This is a very complicated problem; you can talk about it for hours at workshops. If you have any customer service office, they should know that when users call you saying that something is going on, they can call the IT department and say that there is a strange situation, because three people called and said that some strange message was displayed on the website. When we talk about communication with employees: train them, practice. Use regular USB drives if you don't want to do anything really dangerous: create .html files on a USB drive; if they click, they will be redirected to some website, and then you will know that someone clicked. It is completely non-invasive, it does not run any code on computers, because companies also have resistance to it, but you will be able to start something. And of course, manage incidents; we talked about it a bit on examples. Don't necessarily teach your IT department to do it, to curse, etc., because it is a very bad way to manage incidents. Teach people to communicate, it is very important. If your employees are afraid to call these crazy guys from the IT department when they see some strange email, they will not report it for sure, they will be afraid; they must know that this job is for them. It is very difficult, really; we know well as IT people that we are specific, and learning to talk to normal people is very difficult for some of us. I really recommend working on it, because it is very important: technology, people, risk analysis, there are many aspects; we only talk in short. Computer forensics: if you are a bigger company, it would be good if you thought about who can help you with securing such evidence, who can help you find such attackers, but this is done somewhere after; it is not done during the attack. During the attack you have to stop the bleeding, block access to these servers, to the pages, etc., to minimize access, change the credentials of your employees quickly if there is a suspicion that, for example, someone stole such data from employees by phishing; if there is a suspicion that the same passwords are used in different services, then you make changes to these passwords, you force the employees, and this is very important at this point. In terms of critical updates, we have been talking about it too for 15 years, and as you saw in the last few months with ransomware, it is very difficult in large companies where there are systems that are difficult to update. You can't just apply updates, click, because for example software stops working; this is a real problem. We meet it many times, but the point is to have as few critical vulnerabilities as possible in the company and for them to live as short as possible in your environments. Slow down the attackers in various ways, reconfigure the network so that you can react during the incident not with a curse but by blocking those pages, domains, IP addresses, etc.

Some additional material will be there for the presentation later. Our quizzes, where you can test yourself in a simple way: you will recognize dangerous elements, dangerous emails. And possibly for you: with Adam from Zaufana Trzecia Strona we do training on web and mobile app hacking and security. The code is very simple, you don't have to decode anything. If you are interested, usually open in Warsaw or closed, as some company orders. I would like to thank you for your attention. If you have any questions, I will try to answer them.

I didn't want to ask you. My friend is doing red teaming professionally and he does it at a really good level,

that's why I'm afraid. No, I don't think he will. From your experience, say, for so many years you were doing pentests and red teaming, what are the most common faults you encounter in tested environments and why are they not zero-day faults? I'm mainly talking about the default password and USP. These are the things that people related to security have been talking about for 15 years. Updates on servers and workstations. It's a cool question because it's still the same. For 15 years, password reuse, people use the same passwords or create simple passwords that the service doesn't technically force them to use. There are things related to the fact that we are educated and people are not aware of what they are doing. We

have been teaching people for 11 years that they should have strong slogans for their various corporate solutions because the policy of slogans says so. And it makes no sense, because the employee has it somewhere. He doesn't care about it at all. We should explain him two things. First, how to create strong passwords, how to remember them easily, so that he has a method or use the manager of passwords. It was a golden solution in this case, if we talk about this problem. To explain to him what it is for. These strong passwords are for example, not to steal money from our company and then we will have money for a nice corporate party. And then

it changes a bit, because then you think: "Oh, damn, we would like to go crazy, to be at a party, if there were no money, it would work a bit differently." And the second very important element, I think it's one of the most important, explain to people that imagine that you clicked an email at home and someone stole your money, not the company's, but your money, or as we have ransomware today, encrypted your data and your photos from your whole life. and it slowly starts to reach them differently than, as you say, corporate money, because it is still foggy. Going back to this education, network separation is a problem. As we see 2-3 VLANs in a company, it means that it is a company

of the highest technology. Someone tried, wanted to know what these VLANs were, configured them and managed to separate things. This certainly helps a lot. Hardening is a topic I will not talk about, because it is not enough just to harden your environment. Leftover resources and wrong permissions. Leftover resources are the most important thing: if you are making dumps between servers, you put one into /tmp, the permissions are 755, and the dump stays there, because they just called you that there is a fire that needs to be extinguished. The dump stays there; sometimes we find data on servers that is two years old, in some strange directories. And this is also, I think, key, it is very useful, this combination of information that we find

in various small places. And it hasn't changed all this time. It's still there despite the fact that, I don't know, in operating systems we have more and more security mechanisms that are difficult to bypass; people are not educated and make the same mistakes. With updates, as I said, it seems to people who do not sit in large companies that they should be able to run an update script at night and everything is updated. And in big companies there are a lot of political problems, because it is working and they don't like to touch it, they are weighing risks and they are pushing it onto each other. And that's how the fixing of vulnerabilities goes, even though they know, because they have an automated scanner, or a company like us comes and points out these errors.

And they know there is a critical error that enables, for example, reading the server memory or running remote commands, and it takes, for example, 3 months. In big companies it is very complicated. Any other questions? Yes. From your experience, do you have clients, companies in which, for example, the person responsible for security thinks about security not only in terms of hardening, patching and protection, but also about detecting attacks and the next step, which is reacting: what should be done when there is an attack? It changes, because in the last years we have been saying at conferences that someone will attack you. And now, don't stop learning at the moment where we defend ourselves and they don't get in; start learning what to do then. And

what we see, i.e. the fashion for SIEM, the fashion for SOCs, incident management, etc., results from the fact that we all know well, as defenders, and even we as attackers, though in fact we are helping the defenders, we know well that we are losing. The biggest companies with the largest budgets, billions of dollars, everyone is being robbed. And this is sometimes by teenagers, sometimes by such intelligence agencies as Adam showed. And what about that? It is really difficult today, in this complicated infrastructure where we have people, technologies, processes, to secure a large infrastructure. And of course there is a trend that it is moving more and more towards: let's discuss what will happen with the incident. What will happen if they

rob us? Do we have ready press releases? Do we know who to report to? Or are we just searching the Internet for what security companies there are that can help us? It's too late for that. And what next? How to communicate with clients, employees, co-owners, etc. Such a trend is coming, and it is already visible in Poland that people are starting to think about it. Of course, it usually comes from larger companies with larger budgets, but this dialogue between security people and business slowly changes. We explain to them many times that you are absolutely not right that, because you bought an antivirus and two nice blinking boxes for the server room, which you didn't connect at

all, because that still happens, and you spend 80,000 dollars on them and every year you spend 40 more, it makes you safe. It absolutely doesn't work that way. Any questions? I have a question. If I understand the service well, if I were the owner of a disco, you would come, let everyone go, make a photo documentary and give it to me as a report. The question is: how to translate it into profit for my organization, for my clients? It depends a lot on the purpose, first of all. Do you care about raising the safety of the users, in this case dancing and drinking people? Do you care about your guards behaving more politely to people, or being better trained? And then, you know, in the recommendations

we could send them to karate, crossfit and eating kale, to be educated and strong, but it all depends on what we want to achieve. Maybe HD cameras, IPTV, of course only on the internal network and separated from the Internet. I understand, thank you very much. Did you have a situation where you received a specific order from a company and you had, let's say, one or two days to complete the task, but it didn't work out, that you didn't get into the company? It's a bit different. If we get a certain scope, let's say we are talking about phishing, we know that the company has several dozen people, we say that

it is, for example, 4-5 days of work and it will cost this much, not the other way around, because then it makes no sense. We can try to do it, but if someone wants to cut costs and do it in one or two days, we can do it; from experience, we haven't done it yet, we could discuss it with the client, but we always explain that it makes no sense. The question is whether he really wants to verify something and find out how it is, or pretend that he is verifying something for show, and so on. And then we say that this is not our role. In all these tests where

we have some kind of social engineering, we have had 100% effectiveness so far. It never happened that we could not steal any sensitive data. I wanted to start with a question about the secret of your workshop. How do you aggregate this information? Is there a table, does everyone have a calendar, does everyone have a shared file? How does it look in your kitchen? There are several tools, free ones which you can download, like Dradis and other solutions which try to aggregate this type of information. This is a huge problem, because at a certain scale this information is hard to aggregate. We have our own tool, and I will admit that I sometimes get lost in it with a lot of information. Today we have

somewhat learned how to manage it, but it's not easy. I agree. You also need to arrange it properly in such a tool. In the simple version, it can really be done with a simple solution, but it depends a lot on the scale. If there is a large company, it is not the case that, for a company with 2000 employees, we collect information about each of the employees, because then we would be doing reconnaissance for a year. We select some groups, we watch them, we select them for our purposes, we select some people, etc. This way the volume is reduced a bit. But generally it is a problem, because the amount of information is enormous. Especially in the reconnaissance phase you don't

know what else you will need. Sometimes we really needed information from outer space. Someone, in some classified ad saying he wants to sell his gym card, gave his phone number. This phone number, for example, when we logged in to some service, that service asked us to give a phone number to check if it's you. And it was in some ad, not at all on the subject, and it was this company number that we could enter and steal the whole mailbox. So it's not an easy task. I agree with that. Let's move on to the attack phase. You mentioned classic penetration tests, where they go in and look at every window in turn,

whether it's open or closed. You find one and enter through it. What if there's another one on the other side of the building, and what's the client's point of view in this case? Will you take the next order in a week, or what? We always talk to the client; it depends on the client's awareness. The fact that you come today and do a penetration test or anything else doesn't mean that you are 100% safe after the penetration test, because it's hard to prove that, especially in such tests where we usually don't have access to the source code and so on; we only test it from the perspective of an outside attacker, and you never have a guarantee

that you will find all the errors, because in half a year some magician will appear who invents a Heartbleed somewhere in a library and something will become possible. That's why security is a process. That's one thing. The second thing is that it depends a lot on the client's awareness. You test the company only in a given slice of time. If today we test and, imagine the ideal situation, abstractly, we found 99% of the errors, then tomorrow they implement new changes, a new update, because the business will come and want to have new colors in the chart, new functions, etc. Tomorrow a new employee will be hired who will change the password to "simple". And

we always do this in conversation with the client. We explain to him that there is no such thing as 100% security, and that our tests help him to find various types of errors that are in the web application, for example. But if in the report there are three types of SQL injection through which you can steal the whole database, we always say: let your programmers look further, since they see the code, to check whether they find the same kind of mistake as in the place we found, somewhere else. And this is also related to education. Do they attend such trainings as ours, or not? Do they know what SQL injection is? Or do they just read the recommendations,

cut out some apostrophe, cut out some words, okay, we cut out these two characters and it's done, right? Repaired. If it is repaired like that, of course, it will not work. We will check later, in the retest phase, whether the errors have been properly repaired, we will find out that someone did it carelessly, and then we ask again: why? Is the programmer shy and afraid to call us or send an email and say, in the end, I don't understand something? And this is also why, at the beginning, in the process of talking to the client, we always emphasize: if you have questions, ask. We are not here to come and point a finger that you have it

wrong, you have it wrong, you have it wrong. Because in most companies there is always something to find; it's not about that, whether some have more or less. It is about showing, and the client learning: we made such mistakes, let's try to make as few as possible, let's draw some conclusions, let's correct the processes, correct the education of people, etc. But it is very complicated on the client's side. Ok, so let's move on to the summary phase. Could you tell us a few cases from your life, from meetings, to summarize? Did someone just not want to talk to you at the end? Did someone have a very strange reaction? At the end, to

the end of the discussion. Thank you. We have a very difficult role, really, and at such meetings we always explain: what is it all for? Who is it for? That it is never the fault of the IT department or the employees that this lady clicked or that gentleman clicked, that it doesn't work like that at all, because today one person clicked and tomorrow someone else will click. We need to look at it more broadly, and we always explain it there, but we had a situation where, for example, an employee from the IT department shut himself off. We got a signal from the client that for two months there was practically no contact with him. He was doing something, he was

coming in, he was closing the tickets, but he was angry. Although he was at the meeting, he was with us at dinner, we talked, everything was great, he knew what was going on, etc. Two days later he shut himself off. And we always explain to the client that this type of test is not a penetration test of the normal type, and that's why there are not many such orders. These are really selected cases. We mainly do classic penetration tests, because the client must again be aware that anything can happen. Imagine such an extreme situation, that such a person, for example, committed suicide after such tests. Extreme, but why not, if someone took it personally? From another situation, we also know such a moment where an

employee came, after the phishing tests, to a person who knew, who was an administrator and knew that there were these tests. And she came to him and said: "Tomek, I like you, you don't like me, we've known each other for so many years, and you didn't tell me that there would be such tests. I clicked." And she didn't speak to the guy for half a year. You have to be aware that this is a very sensitive area and you have to do it very gently. This is a risk. Certainly not all companies will decide on this, because it is a very specific test; that's why I'm talking about it today, because this is a very sensitive job. I have a question.

During such physical tests, do you expect someone to put a bullet in your knee, or break your leg, or break your tooth? That's why I like these tests. How often do you encounter BSD systems? Do you mean Net, Free, Open, or in general? DragonFly BSD. When it comes to BSD systems, I recently read an analysis and it seems that there are only 8 users of these systems. Therefore, we actually encountered a BSD server only once. It was OpenBSD and, as you know, it can't be broken. A question from the Internet. Dawid Skórka asks: "I wonder how to convince the domain admins to increase the number of characters in the password, and how to explain it to them. If we increase

it, people will start keeping the password on cards next to their monitors." Yes, it is a huge problem. And now the question is whether the employees are taught to memorize passphrases, for example four words, which are easier to memorize than some random string of 20 characters that cannot be memorized; like 4 words that are not connected and are easier for the employee to remember, and then the password is long. And the question is whether such education has been carried out. If not, then that is how it will be. And this is of course very difficult, because even today, in the recommendations of such organizations that suggest what to do about security, it is said that frequent password changes are rejected. If

we have in the GPO that the password should change once every 30 days, etc., this is not the best way, because the employees will add a given month and year at the end of this password. And that also happens all the time. Therefore, it must be done from many sides. It is not that we will go to the IT department and say: "OK, increase the minimum number of characters to 20 and then everyone will start using it and it will be really safe." It won't work like that. Employees need to know how to remember such passwords in a simple way. It's also a multi-stage process. It's never as easy as changing one setting or two. We

turn on two VLANs and we have network separation. We turn on long passwords and we are secure. It never works like that. I have a question about reconnaissance. How badly can it end, or did it end badly, that someone did the reconnaissance and another person was doing the social engineering attack? Basically, it was not her who did the reconnaissance; she was using materials prepared by someone else. Is that the first part of the question? I don't quite understand the first part of the question. Could you explain it? So basically there are two of you in a team, for example. And you do reconnaissance and I do social engineering. Is it bad that you did the reconnaissance and you know

what to do? In every job, as you probably know by now because you are a little older than the youngest here, communication is key. Exactly. It's not like I'll put three pieces of information into some system and the other person will read them and know everything. It doesn't work like that. We discuss, discuss the problem: what is the goal, what do we know, what have we learned, what comes out of this reconnaissance phase, maybe someone fell for something, how could we attack them, and so on. And from this communication it turns out that it depends on the person. If someone goes in physically, he must have his head packed with a lot of strange information. So generally, if a person

goes in physically, should this person usually be involved in the reconnaissance? Not necessarily. This person should have this information in his head. So if a colleague found something and it is crucial from the perspective of entering the company, someone else should say: "Do you remember that there is a very large guard downstairs, and because he has a cap, he has to wear a bulletproof vest?" I would forget. To simplify, it is very important. This is of course the exchange of information. The second part of the question? You just answered it. We have a few more minutes. - To the previous question about the kneecap, could you tell us about the worst experience you had working in the field? - I didn't have anything worth mentioning, to finish

it off. I know from competitors that there was a silent alarm at night. Our friends were not well prepared, because they had never stolen professionally and did not deal with the sensors outside. Therefore, security came, the guy was hit with a crutch and had a problem that would need a dentist later. This is one of the things I associate with the situation where the employees, when they found the people, the people said that they had a document, that it was red teaming, and the employees said that there was nothing like that, that it did not exist; they locked them in a room, they called the police, they started talking to them, and then they called a member of the board who

knew about it, and he confirmed it, etc. But in the first round they acted the best they could, so there was no discussion. I know situations where the guys were on a red-teaming job and someone stopped them: "What are you doing here? You can't be here, there is a server room here," etc. The guy pulled out the paper and said: "We are doing security tests here." And they let them go. So strange situations have happened. I hope these knees will not get shot, and if they do, at least one, the other will remain; it is a failover. I have a question. How should a pentester behave at the entrance when the guard is about to grab him? You say

there's no discussion and you let yourself be caught, so you're calm. What should it look like? Generally, you just hit him in the ribs and run away. I mean, that's what we do, right? I don't know how the competitors work. It always depends. You always talk with the person and you try something, you check, and so on. You can use a person's name, and so on. It's always total improvisation based on the knowledge you've gained before. And it ends differently every time. We usually didn't have such a critical situation that the security guard would somehow drag us away and so on. There were always two or three sentences. You know, you know well, if we're talking about security guards and not employees, they work for such money per hour that

if you mention the director's name, he will give you the keys, open the door, etc. They are afraid that they will get some kind of punishment. But it depends on the person you meet. And you play to the end, so you try to defend the story somehow, but you have to have a defined limit, and if it is exceeded, you give up. It's not bad; you have to be mentally prepared for it. The emotional load is incredible. Even a simple entry into the company, saying "hello", when you know that your goal is to read a piece of paper with a password, for example, which is somewhere there, and

you start talking, etc. This is always an adventure. These stupid questions are... I would also like to ask if there are limits that you would not exceed. Do you follow a penal code, a moral code, or will you do everything for money on Reptiminda? Mateusz, it always depends on the number of zeros. I understand, thank you. And how many zeros is the highest limit? I do everything for 300 PLN. I propose a discount, there is streaming. We can do crowdfunding. Do you have a question? These stupid questions are from someone from our team. I wanted to ask a stupid question. He won't admit it, but it's red teaming. But I wanted to ask a stupid question. Did you know Mateusz's questions beforehand? Again? Did you know Mateusz's questions beforehand?

No, absolutely not. The whole game is about that. He thinks of them live. He didn't know them 10 seconds ago. So the pleasure of the game is about that. I have a question. When you were doing a pentest and you landed on a machine, did it happen that you had someone else on it? I mean, was there a guy who attacked it while not doing a pentest? Pentests are only illegal. It didn't happen to us. The probability is low. We don't focus on checking if someone else is in the system; we want to hide ourselves there. So it could happen that during the tests someone finds out that the machine behaves strangely, has strange directories, strange

information, and then of course you have to report to the client that everything indicates that we are not the first. It can be like that. It can be the result of previous tests, after another company, or after foreign intelligence. Last question. Have you ever had a situation where you did a pentest after someone else? Yes, we know companies where we knew that they test every year, and every year it's harder and harder. Employees educate themselves, people are hardening their network and systems, and so on. And then it's nice when you know about it, then you know that a standard macro won't work. You're already thinking in different ways. I was more concerned about whether there was a situation like

"Oh, sir, who screwed it up like that?" Like at a repair shop, right? We try to do our job and the client judges it, not discuss how the competition is. The competitors are all our friends. If we find out that someone from our competition did something really bad, then we usually meet at a conference like this and say: "Piotrek, what have you done to Mania? Don't do that, I know it's for a quick drink, but don't do that." Just kidding, but that's how it works. It's not about showing it to the client. If we can influence the client's safety, we discuss it, but not to show it to the client. And these are just some random people. We all know each other, we all know

who does what for whom, we all read each other's mail among competitors. One more question. When you submit a report to a company, how often does it happen that the company or client asks about comparing with other companies? Yes, clients ask this. Was it that bad? And so on. And then we say that if it's social engineering, then 100%, and so on. If it's a big company, then something will always come up. If not a window, then a door; if not a door, then a helicopter, and so on. We try to say it in a subjective way: you had bad, bad, bad, but good, good, good. It's important to emphasize that it's not just a tragedy. You have areas that you did

well, unless it's a company that does everything worst. But usually there is an area that is good. There were both good and bad things. Clients like to position themselves. If it's not so bad, maybe we don't need to increase the budget. There are such discussions. I think we can move the rest of the discussion to the hallway, because it's really time. If you have any questions, write. Thank you very much once again for the questions.